Sednit reloaded: Back in the trenches
ID: d19a1242-8203-53d8-b790-884a2f9792e7
STIX ID: report--d19a1242-8203-53d8-b790-884a2f9792e7
Feed Name: WeLiveSecurity (ESET Research)
Since April 2024, ESET has documented the reactivation of Sednit's advanced implant development, describing a dual-implant espionage strategy that pairs BeardShell (a PowerShell-based implant with C2 over Icedrive) with a heavily modified Covenant (a cloud-backed .NET implant using Filen, pCloud and Koofr), alongside a SlimAgent keylogger derived from Xagent. The report links these tools to Sednit's 2010-era code through unique obfuscation and implementation artifacts, provides IoCs and MITRE ATT&CK mappings, and notes active use against Ukrainian military targets, including exploitation of CVE-2026-21509.
